Illinois Biometric Information Privacy Act (BIPA) Update

Justices Knowingly Interpret BIPA to Include ‘Annihilative,’ ‘Punitive’ and ‘Crippling Liability’ for Illinois Businesses

Overview


On February 17, 2023, the Illinois Supreme Court ruled in Cothron v. White Castle System, Inc., 2023 IL 128004, that claims accrue under the Illinois Biometric Information Privacy Act (BIPA) each time data is collected and disclosed rather than accrual occurring upon the first registration, collection or disclosure of biometric information and identifiers. This ruling will have a major impact on all future BIPA cases and will lead to negative implications for Illinois employers and other companies that collect biometric information about Illinois residents. As the dissent put it, this decision could have a “crippling,” “punitive” and “annihilative” impact on Illinois businesses.

In Depth


BIPA requires informed consent before the collection or disclosure of an individual’s biometric information through, for example, a time clock or electronic lock. Specifically, section 15(b) of the Act provides that a private entity may not “collect, capture, purchase, receive through trade, or otherwise obtain” a person’s biometric data without first providing notice to and receiving consent from the person. Section 15(d) provides that a private entity may not “disclose, redisclose, or otherwise disseminate” biometric data without consent.

The Cothron Court was asked to answer the certified question from the US Court of Appeals for the 7th Circuit whether “section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?” White Castle, supported by numerous amici, argued that only the first scan or disclosure should trigger a new claim under BIPA, while Cothron argued that each scan by a putative class member constitutes a new BIPA violation (that is, every clock in or clock out scan every time an employee scans into work could be a separate accrual or violation of BIPA). Indeed, even well-known plaintiffs’ firms were on the record in support of White Castle’s position.

Yet, continuing the axiom that if a BIPA ruling can go against defendants it will, in its 4-3 opinion, the Cothron Court held “that a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).” Essentially, this holding means that every collection and disclosure of biometric data between the same two parties (e.g., every time an employee scans in for a shift using his fingerprint) constitutes a new BIPA violation.

White Castle estimated that if Cothron can bring claims on behalf of as many as 9,500 current and former White Castle employees, where employees potentially scan their fingerprints multiple times per shift, damages in this action may exceed $17 billion. The court was cognizant of the extreme and absurd damages that could result in violations of BIPA but stated that it was not the court’s place to rewrite the statute simply because damages could be wildly excessive.

The court agreed with the 7th Circuit that private entities “would have ‘little incentive to course correct and comply if subsequent violations carry no legal consequences.’” (citing Cothron v. White Castle System, Inc., 20 F.4th 1156, 1165 (7th Cir. 2021)). While the majority “recognized the potential for significant damages awards under the Act,” it reasoned that “the legislature intended to subject private entities who fail to follow the statute’s requirements to substantial potential liability.”

Justice David Overstreet, writing for the dissent, disagreed with the majority opinion because it could “not be reconciled with the plain language of the statute,” the purpose behind BIPA, or case law. Justice Overstreet reasoned that a claim should accrue only upon the first scan, collection or transmission of biometric information and data. The dissent was also concerned with the decision leading to absurd results not intended by the legislature in passing BIPA.

The dissent’s reasoning was sound: Because an entity can obtain a person’s biometrics only once, the subsequent scans are not obtaining or collecting a scan – the entity already had the scan and nothing new was collected. According to the dissent, “The majority acknowledges that, in construing the Act as it has, the consequences may be harsh, unjust, absurd, or otherwise unwise.”

Finally, the dissent noted that “imposing punitive, crippling liability on businesses could not have been a goal of the Act, nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm.” This is the exact type of practical consideration that the majority “brushes . . . aside” when saying the legislature is the best entity to address excessive damages. The dissent may serve prophetic, however, because defendants will likely attack these excessive damages and absurd this interpretation of BIPA to argue that it is unconstitutional.

This ruling is likely to have a significant impact on BIPA litigations and resolutions going forward. It is hard to imagine that “crippling liability” is what the Illinois legislature had in mind when enacting BIPA. And it seems likely that the pathway forward will be new assaults against BIPA’s constitutionality, and, hopefully, the Illinois legislature will finally recognize the immediate need to amend BIPA.